Feeds

Plan B from Petty France - the other UK ID card

Or more properly, the real one?

High performance access to file storage

Passports are issued under Royal Prerogative, effectively executive powers of the monarch which are exercised by Government Ministers. These powers include the right to grant and revoke passports, exercised by the Home Secretary and the Foreign Secretary.

Three years ago Parliament's Public Administration Select Committee suggested that this and other aspects of the Royal Prerogative (starting wars, that kind of stuff) be put on a more formal statutory basis, but the Department of Constitutional Affairs declined to pursue the matter, observing on passports that "successive Governments have taken the view that the non-statutory system has worked well and that change is not required."

The Government did, last year, say that it could add fingerprints to passports via the Royal Prerogative, but as all of the Passport Service's identity-related plans are going ahead with or without the ID Card Bill, clearly it's all happening under the Prerogative.

Which you might reckon stretches the legal framework well beyond breaking point. Lack of Parliamentary oversight? You ain't seen nothing yet.

It is practically impossible to justify the UK Passport Service's identity management plans as being encompassed by a Royal Prerogative intended simply to cover the granting and revoking of passports, even taking into account the requirements of new international standards. As far as biometric passports are concerned, it's been pointed out repeatedly (not least by The Register that in order to conform to ICAO standards the UK need only add a chip containing a digitised passport photograph to existing passports (which is what the Passport Service is actually doing for biometric passport phase one in this very quarter).

There is no need for a biometric database or online checking, because the thinking underlying the ICAO biometric passport standard is that it should be possible to link the bearer to the document by locally checking the bearer's biometrics against those held on the document. So long as you're confident the document isn't forged or fraudulently issued, you don't even need to keep the biometric data in a database - you could even, as some countries intend to do, just throw it away. You know the document is genuine, hence you know the person is genuine, and you don't need any other information.

Nor (we've said this a lot too) does the UK need to add fingerprints to its passports. The EU's Schengen countries are currently committed to do so, but the UK is not a Schengen country, and does not have to conform to this standard. But again, if we wish to add fingerprints in anticipation of their becoming a widespread international requirement, we could do this on the basis that the individual was matched locally against the document, and for the specific purposes of passport issue and administration we do not need to have the fingerprint data online, or even retained.

There's clearly an argument that even the Passport Office's move from document-centric to person-centric and the consequential construction of its version of the NIR steps beyond the Royal Prerogative (which covers documents, not people). The assertion, "All of those items are coming anyway, and the passport service will have to provide for them" most certainly goes many steps beyond it.

There may well be arguments that commercial demand (should such a thing really exist) for identification services from Government should be met, and we may all view it as a good idea for a database of all UK citizens' fingerprints to exist to allow for "the checking of unidentified fingerprints at scenes of crime" (which was put forward by Baroness Scotland as one of the "extra benefits" of the ID scheme). But it is by no means obvious that the Passport Service has the powers to provide these things, that it is the appropriate department to do so, or that providing them via a centralised Government identity monopoly is the sensible way to do it.

If the ID Cards Bill becomes law, then the legal framework changes. The legislation could be said to place the Passport Service's identity operations on a statutory basis, overseen by the new authority the Passport Service will become, and therefore "all of these items that are coming anyway" will be retrospectively legitimised. But if the Bill doesn't become law, and all of these items continue to come, anyway, then there will be a whole growing edifice there we should be asking a lot of hard questions about. And under the circumstances, maybe the Queen should be asking a few herself... ®

SANS - Survey on application security programs

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.